RE: Research on Source Code Review -C

From: Ingevaldson, Dan (ISS Atlanta) (dsiat_private)
Date: Wed Jun 11 2003 - 12:27:37 PDT


    I recommend reviewing the ISS X-Force presentation titled, "Advanced
    Software Vulnerability Assessment", presented at last year's Black Hat
    Briefings in Las Vegas.  The presentation outlines some of the
    techniques that the X-Force team uses to uncover vulnerabilities in
    source code.  In the presentation, we covered the fact that the
    automated tools used to uncover flaws aren't good for finding anything
    besides the most trivial vulnerabilities.
    
    Presentation details and PowerPoint:
    http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd
    
    Presentation video:
    rtsp://media-1.datamerica.com/blackhat/bh-usa-02/video/BH-USA-02-DOWD-HERATH-MEHTA-FLAKE.rm
    
    Regards,
    ===============================
    Dan Ingevaldson
    Engineering Manager, X-Force R&D
    dsiat_private 
    404-236-3160
     
    Internet Security Systems, Inc.
    The Power to Protect
    http://www.iss.net 
    ===============================
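    An added illustration of the point above about automated tools (example code written for this archive page, not taken from the message or from the X-Force presentation; the BUFSZ constant, the function names and the two source strings are constructed): a banned-function scan reports the trivial strcpy() call but has nothing to say about a length check that is wrong because the comparison is signed, which is the kind of flaw a manual C/C++ review guideline has to cover.

```c
#include <stddef.h>
#include <string.h>

#define BUFSZ 256  /* constructed: an int constant, so comparisons against it are signed */

/* Constructed review target. A caller-supplied length is checked against the
 * buffer size before the copy, but 'len' is a signed int and BUFSZ is an int
 * constant, so the comparison is done in signed arithmetic: len == -1 passes
 * the check, and the copy that follows would receive (size_t)-1. */
int length_ok_as_written(int len)
{
    return len <= BUFSZ;
}

/* The same check as a reviewer would rewrite it: reject negative values
 * first, then compare in size_t. */
int length_ok_reviewed(int len)
{
    return len >= 0 && (size_t)len <= BUFSZ;
}

/* Copy routine that uses the reviewed check. Returns bytes copied, or -1
 * when the length is rejected; dst must have room for BUFSZ bytes. */
int copy_reviewed(char *dst, const char *src, int len)
{
    if (!length_ok_reviewed(len))
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* What a banned-function scan sees: it counts occurrences of names from a
 * fixed list, so it flags strcpy() but cannot see that a comparison is
 * signed. Returns the number of hits in the given source text. */
int banned_call_hits(const char *source)
{
    static const char *banned[] = { "strcpy(", "gets(", "sprintf(", "strcat(" };
    int hits = 0;
    for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++)
        for (const char *p = source; (p = strstr(p, banned[i])) != NULL; p += strlen(banned[i]))
            hits++;
    return hits;
}

/* Constructed source text, as the scanner would read it. */
static const char *AS_WRITTEN_SRC = "if (len <= BUFSZ) memcpy(buf, src, len);";
static const char *TRIVIAL_SRC    = "strcpy(buf, src);";
```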
    
    
    -----Original Message-----
    From: Nicole Nicholson [mailto:nanicholsonat_private] 
    Sent: Wednesday, June 11, 2003 9:42 AM
    To: dwarkeeperat_private
    Cc: vuln-devat_private
    Subject: Re: Research on Source Code Review -C
    
    
    Dwar-
    
    I don't know if you have looked at any of these sites.  They actually
    contain tools & publications for source code analysis and review.  You
    may be able to use some of their literature and/or documentation to
    develop a set of guidelines.
    
    http://www.cenzic.com/
    http://www.cigital.com/
    http://www.dwheeler.com/flawfinder/
    http://www.securesoftware.com/
    
    Cheers.
    
    -Nicole
    
    
    <snip>
    
    Am looking to develop source code review guidelines for code written in
    c/c++. I have found a few documents on the net but nothing that could be
    really followed along to do source code review. I also wanted to know
    what people in the field are actually doing and also if they could
    provide first hand experience as to what all they look for and how.
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 12:12:46 PDT